ATT 3b2 firmware password

James R. Van Artsdalen james at osi3b2.UUCP
Mon Sep 29 16:03:40 AEST 1986


As the posting system name should indicate, we have and use a 3b2.  We are quite
pleased with it.  I would certainly agree that it is overpriced at list, but
we bought ours used for a good deal less than list.  It supports about 12
people total, with 5 on-line at once (averaging three or four throughout a
day).

In article <305 at pinney.munsell.UUCP>, pac at munsell.UUCP (Paul Czarnecki) writes:
> I have some friends with an ATT 3b2 that has a firmware password in it. 
> They'd like to rebuild their kernel but they can't because a previous
> and long gone engineer changed this firmware password. 
> 
> The documentation seems lacking (for obvious reasons) about how to
> defeat this protection scheme. 
> 
> (Why don't they call ATT and ask them? Well, you see, they don't quite
> actually own the machine.  Soon after they bought it they discovered
> that it was a much better space heater or boat anchor than a computer. 
> They notified ATT that the machine did not satisfy them and to please
> come take it away.  Much letters and lawyers later, ATT cancelled the
> bill but never picked up the machine.  This was over a year ago.  Now
> they actually have a need for it.)

The 3b2 runs extremely cool.  It is shaped like a small box.  It would make
neither a good space heater nor a good boat anchor.   :-)  Seriously it sounds
like these people had no business buying a computer if they needed something
bigger than a 3b2 but didn't realize it until _after_ taking delivery.  Be
serious folks and hire a good consultant when you spend lots of money on
things you don't understand (obviously this audience doesn't need this
reminder, but some people still do).

> (I knew it wasn't a computer when one day, frustrated beyond belief at
> it, I reached around and powered the beast off.  On my screen flashes
> the words, "System shutdown in 5 minutes." I sprinkled some holy water,
> drew a pentagram around it, and cut the main power switch to the
> building.:-)

DEFINITELY hire a consultant to select your computer!  Just what did you
expect to happen when you pulled the power cord?  Did you expect it to get
better???  Did you disbelieve that in fact the computer would be off in
five minutes?  The 3b2 is like any other computer: software problems are best
solved with the power on...

> If anyone knows how to do this please send me mail.  PLEASE DO NOT POST
> SUCH AN OBVIOUS SECURITY HOLE NOR WILL I SUMMARIZE TO THE NET. 

No hole exists of that form: physical access is required to defeat the
firmware.  And in any case the answer is rather obvious: disconnect the
battery for a little bit.  Once the battery is reconnected the firmware
will default to the original password.  This is no less a security hole than
with any other computer: once you have unimpeded physical access by someone
who knows the hardware & software (as is required to break security in this
manner) you have the computer and its data.

I realize I've sounded a bit heavy-handed in this article, but you gave
several misleading impressions in your article.  The 3b2 is not junk: were
you expecting a VAX or something?  It's a fairly reliable machine that runs
5 people very well in my experience (albeit that it's a bit overpriced).
Secondly there is no real security hole with the firmware password:  Simple
physical security will prevent someone from changing the password in this
manner.  And finally, shutting off the computer out of frustration, especially
arbitrarily removing power when the system would clearly complete the cycle
on its own, is rather poor technique.  One should never risk the file
system(s) by simply removing power.  At one point I had our 3b2 up for 5
continuous months without a reboot, and without a glitch.  Turning off power
nightly simply isn't the way to run a unix system...  I've cross-posted
this article to net.micro.att: you should be able to get other questions
answered there.
-- 
James R. Van Artsdalen    ...!ut-ngp!utastro!osi3b2!james    Live Free or Die


